Atomic Secure Linux
All times are UTC - 5 hours [ DST ]
 Post subject: ASL 3.0.9 Released
Posted: Mon Aug 29, 2011 3:28 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7418
Location: earth
This update contains numerous updates to the Active Response system; it is recommended that you follow the update procedure outlined below for the best results.

Changelog
- Add in root login check enable/disable
- Add time to blocklist display in ASL Web
- Update to asl-firewall, repositions blacklists and adds support to clear the active response tables
- Update to ASL Web, database errors are now reported directly in the Event viewer.
- Update to ASL Web, Increases line size limit on waf rule import to 20kb
- Update to ASL Web, logic for forced waf handling in security event detailed view
- Bugfix #XXX, calculation adjustment for the repeat-offenders system. This is tracked in minutes, whereas SHUN_TIME is tracked in seconds.

To Upgrade:
1) Upgrade to ASL 3.0.9
yum upgrade asl asl-web

2) Clear your firewall rules. The following is the default method in RHEL, CentOS, CloudLinux and Scientific Linux. If you are using a 3rd party firewall management system, please consult that vendor on the appropriate method to reload their rules.
service iptables stop

3) Reload the firewall policy
service iptables start

4) Reload the asl-firewall
service asl-firewall start

5) Update the ASL security policy
asl -s -f

6) Restart OSSEC:
service ossec-hids stop
service ossec-hids start


 Post subject: Re: ASL 3.0.9 Released
Posted: Tue Aug 30, 2011 3:35 am
Forum Regular

Joined: Wed Jan 02, 2008 3:21 pm
Posts: 515
Location: United Kingdom
Server upgraded to asl 3.0.9 overnight, unable to log-in to ASL GUI this morning. Followed instructions posted here and at https://www.atomicorp.com/wiki/index.ph ... leshooting and double checked/re-installed everything, but when connecting to port 3000 just get empty/blank/white page in every web browser.

Tortix is installed and running:
Code:
ps auxwww | grep tortixd
tortix    2556  0.0  0.2 221204  8852 ?        S    Aug26   0:11 /var/asl/usr/sbin/tortixd
tortix   12385  0.0  0.2 218972  8156 ?        S    Aug27   0:03 /var/asl/usr/sbin/tortixd
tortix   13707  0.0  0.2 221032  8560 ?        S    Aug24   0:12 /var/asl/usr/sbin/tortixd
root     14086  0.0  0.0 217556  2592 ?        Ss   Jul20   0:18 /var/asl/usr/sbin/tortixd
tortix   15173  0.0  0.2 218708  8144 ?        S    Aug29   0:00 /var/asl/usr/sbin/tortixd
root     17712  0.0  0.0  61260   796 pts/1    R+   08:24   0:00 grep tortixd
tortix   28396  0.0  0.2 221036  8488 ?        S    Aug22   0:14 /var/asl/usr/sbin/tortixd


Code:
/var/asl/bin/asl-web-setup:
ASL Web Configuration
  ASL includes a stand-alone web based management console
  that will allow for interaction and review of alerts.
  ASL web requires apache, and mysql in order to operate

Testing login with defined credentials...
  ASL Web has already been configured.

Would you like to add more users to the system? (yes/no) [Default: no]:


Code:
netstat -anp | grep tortixd | grep 30000
tcp        0      0 :::30000                    :::*                        LISTEN      2556/tortixd


Code:
iptables -L -n | grep 30000
ACCEPT     tcp  --  x.x.x.x         0.0.0.0/0           tcp dpt:30000


Code:
rpm -qa | grep tortixd
tortixd-mod_ssl-2.2.3-43.4.el5.art.x86_64
tortixd-2.2.3-43.4.el5.art.x86_64


No other errors being reported. Is there an ASL error log to further diagnose?
Thanks


 Post subject: Re: ASL 3.0.9 Released
Posted: Tue Aug 30, 2011 12:00 pm
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 656
Same here. 3.0.9 seems to have broken the GUI

_________________
"Its not a mac. I run linux... I'm actually cool." - scott


 Post subject: Re: ASL 3.0.9 Released
Posted: Tue Aug 30, 2011 12:06 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1843
Probably a false alarm, don't panic, I'm still investigating, but after this update it looks like my ossec-hids local_rules.conf rules are being ignored for some inexplicable reason.

Also found a bunch of IPs in the blocklist that had not triggered any level 7 events. This was before I read the instructions here to do the firewall reload, however - I'm still investigating the cause.

Anyway, like I say, probably a false alarm, but nevertheless it would be sensible for people to take a quick look at your blocklists and also see if any custom rules (I have some that ignore stupid spamassassin config line errors) are still in effect.

I do have to say that an update that might be automatically triggered overnight but requires additional steps (clearing the firewall, etc etc) seems not to be the best idea to me? Or are those additional steps just to be safe, as opposed to being really important?

@Kalimari -- you posted 3000 rather than 30000 in your email as the port you used. Was that just a typo?
@Highland & Kalimari -- Your post came in after I finished my reply. So obviously my comment about the 3000 as opposed to 3000 is invalid. But just so you know, mine is OK on three systems (CentOS 4, 32bit). Have you tried a different browser, in case it is some weird cache issue?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
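
The cross-check suggested in the post above (blocklisted IPs against level 7 events), as an added example that is not part of the original thread or of Atomicorp's tooling: it parses text in the OSSEC alerts.log layout and lists blocklisted addresses that have no alert at or above level 7. The sample alerts, the blocklist and the function names are constructed for illustration; how the blocklist is exported from the firewall is an assumption left to the reader.

```python
import re
from collections import defaultdict

# Constructed sample in the OSSEC alerts.log layout (not real log data).
SAMPLE_ALERTS = """\
** Alert 1314705600.1001: - syslog,sshd,authentication_failures,
2011 Aug 30 07:00:00 host->/var/log/secure
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 203.0.113.5
User: root

** Alert 1314705660.1002: - syslog,sshd,authentication_failed,
2011 Aug 30 07:01:00 host->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: admin

** Alert 1314705720.1003: - syslog,errors,
2011 Aug 30 07:02:00 host->/var/log/messages
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
"""

# Constructed blocklist; on a real host this would be exported from the firewall.
SAMPLE_BLOCKLIST = ["203.0.113.5", "198.51.100.7", "192.0.2.44"]

RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)
SRC_RE = re.compile(r"^Src IP: (\S+)", re.M)

def max_level_by_ip(alerts_text):
    """Return {src_ip: highest alert level seen} from alerts.log text."""
    levels = defaultdict(int)
    # Each record starts with a "** Alert" header line.
    for record in re.split(r"^\*\* Alert ", alerts_text, flags=re.M)[1:]:
        rule, src = RULE_RE.search(record), SRC_RE.search(record)
        if rule and src:  # skip records that carry no source address
            ip = src.group(1)
            levels[ip] = max(levels[ip], int(rule.group(2)))
    return dict(levels)

def unexplained_blocks(blocklist, alerts_text, min_level=7):
    """Blocklisted IPs with no alert at or above min_level, with the max level seen."""
    seen = max_level_by_ip(alerts_text)
    return {ip: seen.get(ip) for ip in blocklist if seen.get(ip, -1) < min_level}

if __name__ == "__main__":
    for ip, level in unexplained_blocks(SAMPLE_BLOCKLIST, SAMPLE_ALERTS).items():
        print(ip, "highest level seen:", level)
```

An address reported with `None` never appears as a source in the supplied alerts; check rotated alert logs before concluding that the block had no matching event.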
 Post subject: Re: ASL 3.0.9 Released
Posted: Tue Aug 30, 2011 12:16 pm
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 656
The port number is right (I have it saved in a bookmark). And it's only one server. The other is just fine. Very strange

 Post subject: Re: ASL 3.0.9 Released
Posted: Tue Aug 30, 2011 1:13 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1843
Hmm.. Yes, strange! And I don't know how to restart the gui, which would be the next thing I'd try. The service used to be called asl-httpd or something like that but I can't find anything obvious in init.d.

I can confirm that my local_rules.xml seems to be being ignored on three systems. I have no idea why.
ossec-hids restart doesn't make any difference. The rules I exclude are the correct rules - they have not changed according to the GUI.

Anyway, I've just realised this thread is in the announcements topic. Oops. Sorry guys!

 Post subject: Re: ASL 3.0.9 Released
Posted: Tue Aug 30, 2011 1:35 pm
Forum Regular

Joined: Wed Jan 02, 2008 3:21 pm
Posts: 515
Location: United Kingdom
Sorry faris, yes, typo! The correct port (30000) was shown in the commands posted after. Have a case raised on this issue via support portal.
Also had an opportunity to investigate further, in particular the scripts used for GUI. The problem on my system is some new db tables are required, but not all could be created due to a MySQL bug (I think, have not received response from Atomic Support to confirm yet). Check if you have a bunch of new pgui_* tables in the tortix database, in particular see if pgui_hids_cat has been created (missing for me).

Not wanting to post too much more detailed info than that on a public forum, pm me if you need more specific info to compare.
